By Krishna A. Jani, Flaster Greenberg
On Monday, June 1, federal lawmakers proposed the Exposure Notification Privacy Act (ENPA), a piece of bipartisan legislation aimed at protecting consumer privacy and promoting public health in the development of exposure notification technologies as a way to combat the spread of COVID-19. The legislation makes participation in commercial online exposure notification systems voluntary and grants consumers control over their personal data. Moreover, the Act would limit the types of data that may be collected, as well as how that data can be used.
This legislation was introduced on the heels of competing privacy bills proposed by Republicans and Democrats respectively — the “COVID-19 Consumer Data Protect Act of 2020” and the “Public Health Emergency Privacy Act.”
What differentiates the EPNA from the other proposals?
This act would prohibit any automated exposure notification service not operated by, or in collaboration with, a public health authority. The act would require that automated exposure notification services allow only submission of medically authorized diagnoses of infectious diseases. Unlike the other proposals, this act would not prohibit data retention for public health research purposes.
Moreover, this act would cover only operators of “automated exposure notification services,” defined as any website or mobile application designed for use or marketing to digitally notify an individual who may have become exposed to an infectious disease, whereas the previously proposed acts would cover both symptom tracking and other apps.
This act also encompasses a broader definition of personal data than the previous bills. For example, the new proposal covers all data linked or “reasonably linkable” to any individual or device that is collected, processed, or transferred in connection with an automated exposure notification service. The CDPA, by contrast, specifically defines covered data as health information, geological data, and proximity data.
Unlike the other two proposals, the EPNA would require the Privacy and Civil Liberties Oversight Board to issue a report within one year after enactment that assesses “the impact on privacy and civil liberties of government activities in response to the public health emergency related to” COVID-19. It would also require the board to make recommendations for how the government should mitigate threats posed by the current pandemic and similar emergencies in the future.
How is this act similar to the others?
As with both the republican and democratic proposals, the EPNA would grant enforcement power in the form of litigation authority to both the Federal Trade Commission and state attorneys general.
This act would also require affirmative express consent to enroll individuals in automated exposure notification services.
This act would also expressly prohibit workplace discrimination against people who decline to utilize contact-tracing technology, similar to the Public Health Emergency Privacy Act.
This is the third in a series of COVID-related federal data privacy bills meant to tackle the difficulties posed by collecting data to combat the spread of infectious disease with the public’s increasing concerns with the privacy and cybersecurity of their data.
Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups.